
Slide 1
PI.lab: Privacy in 2014 Workshop, Privacy Impact Assessments
The NOREA-PIA: design and experience
Wolter Karssenberg RE
- Member of the Knowledge Group Privacy Audits, NOREA (NOREA is the professional association for IT-auditors in the Netherlands)
- Management Consultant and Co-owner, Social Force (Social Force is an advisory firm in the field of reducing household debt, improving debt collection and protecting privacy)

Slide 3
EU DPR (LIBE-compromise):
- Recital 71a: "Impact assessments are the essential core of any sustainable data protection framework" and "Data protection impact assessments should consequently have regard to the entire lifecycle management of personal data".
- Recital 74a: "Impact assessments can only be of help if controllers make sure that they comply with the promises originally laid down in them. Data controllers should therefore conduct periodic data protection compliance reviews demonstrating that the data processing mechanisms in place comply with assurances made in the data protection impact assessment."

Slide 4
EU DPR (LIBE-compromise):
- Article 32/33: Data Protection Impact Assessments required for operations that present specific risks, e.g.:
  - More than 5,000 data subjects
  - Large scale filing systems with location data, data on children or employees
  - Profiling on which measures are based that significantly affect the data subject
- Article 33a: Compliance review required at least every two years after carrying out a PIA, demonstrating that the processing is in compliance with the PIA (immediately when there is a change in specific risks)

Slide 9
NOREA-PIA roadmap:
1. Determine who will perform the PIA and how this should be done
2. Gather relevant information about the project
3. Enter the PIA questionnaire
4. Assess the impact and define additional measures
5. Write the PIA report
6. Optional: perform an (independent) evaluation of the PIA

Slide 11
The NOREA-PIA: experience
NOREA-PIA pitfalls:
- Client:
  - "Ready for production, let's check privacy compliance with a PIA"
  - As small a scope as possible
  - "We've executed a PIA, so we're compliant"
- PIA professional:
  - A fool with a tool is still a fool
  - If all you have is a hammer, everything looks like a nail
- Hype risk!
